Panorama Web Interface Access Privileges

The custom Panorama administrator roles allow you to define access to the options on Panorama and the ability to only allow access to Device Groups and Templates (Policies, Objects, Network, Device tabs).
The administrator roles you can create are Panorama and Device Group and Template. You can’t assign CLI access privileges to a Device Group and Template Admin Role profile. If you assign superuser privileges for the CLI to a Panorama Admin Role profile, administrators with that role can access all features regardless of the web interface privileges you assign.
Access Level
Description
Enable
Read Only
Disable
Dashboard
Controls access to the Dashboard tab. If you disable this privilege, the administrator will not see the tab and will not have access to any of the Dashboard widgets.
Yes
No
Yes
ACC
Controls access to the Application Command Center (ACC). If you disable this privilege, the ACC tab will not display in the web interface. Keep in mind that if you want to protect the privacy of your users while still providing access to the ACC, you can disable the PrivacyShow Full IP Addresses option and/or the Show User Names In Logs And Reports option.
Yes
No
Yes
Monitor
Controls access to the Monitor tab. If you disable this privilege, the administrator will not see the Monitor tab and will not have access to any of the logs, packet captures, session information, reports or to App Scope. For more granular control over what monitoring information the administrator can see, leave the Monitor option enabled and then enable or disable specific nodes on the tab as described in Provide Granular Access to the Monitor Tab.
Yes
No
Yes
Policies
Controls access to the Policies tab. If you disable this privilege, the administrator will not see the Policies tab and will not have access to any policy information. For more granular control over what policy information the administrator can see, for example to enable access to a specific type of policy or to enable read-only access to policy information, leave the Policies option enabled and then enable or disable specific nodes on the tab as described in Provide Granular Access to the Policy Tab.
Yes
No
Yes
Objects
Controls access to the Objects tab. If you disable this privilege, the administrator will not see the Objects tab and will not have access to any objects, security profiles, log forwarding profiles, decryption profiles, or schedules. For more granular control over what objects the administrator can see, leave the Objects option enabled and then enable or disable specific nodes on the tab as described in Provide Granular Access to the Objects Tab.
Yes
No
Yes
Network
Controls access to the Network tab. If you disable this privilege, the administrator will not see the Network tab and will not have access to any interface, zone, VLAN, virtual wire, virtual router, IPsec tunnel, DHCP, DNS Proxy, GlobalProtect, or QoS configuration information or to the network profiles. For more granular control over what objects the administrator can see, leave the Network option enabled and then enable or disable specific nodes on the tab as described in Provide Granular Access to the Network Tab.
Yes
No
Yes
Device
Controls access to the Device tab. If you disable this privilege, the administrator will not see the Device tab and will not have access to any firewall-wide configuration information, such as User-ID, High Availability, server profile or certificate configuration information. For more granular control over what objects the administrator can see, leave the Device option enabled and then enable or disable specific nodes on the tab as described in Provide Granular Access to the Device Tab.
You can’t enable access to the Admin Roles or Administrators nodes for a role-based administrator even if you enable full access to the Device tab.
Yes
No
Yes
Panorama
Controls access to the Panorama tab. If you disable this privilege, the administrator will not see the Panorama tab and will not have access to any Panorama-wide configuration information, such as Managed Devices, Managed Collectors, or Collector Groups.
For more granular control over what objects the administrator can see, leave the Panorama option enabled and then enable or disable specific nodes on the tab as described in Provide Granular Access to the Panorama Tab.
Yes
No
Yes
Privacy
Controls access to the privacy settings described in Define User Privacy Settings in the Admin Role Profile.
Yes
No
Yes
Validate
When disabled, an administrator cannot validate a configuration.
Yes
No
Yes
Save
Sets the default state (enabled or disabled) for all the save privileges described below (Partial Save and Save For Other Admins).
Yes
No
Yes
  • Partial Save
When disabled, an administrator cannot save changes that any administrator made to the Panorama configuration.
Yes
No
Yes
  • Save For Other Admins
When disabled, an administrator cannot save changes that other administrators made to the Panorama configuration.
Yes
No
Yes
Commit
Sets the default state (enabled or disabled) for all the commit, push, and revert privileges described below (Panorama, Device Groups, Templates, Force Template Values, Collector Groups, WildFire Appliance Clusters).
Yes
No
Yes
  • Panorama
When disabled, an administrator cannot commit or revert configuration changes that any administrators made, including his or her own changes.
Yes
No
Yes
  • Commit for Other Admins
When disabled, an administrator cannot commit or revert configuration changes that other administrators made.
Yes
No
Yes
Device Groups
When disabled, an administrator cannot push changes to device groups.
Yes
No
Yes
Templates
When disabled, an administrator cannot push changes to templates.
Yes
No
Yes
Force Template Values
This privilege controls access to the Force Template Values option in the Push Scope Selection dialog.
When disabled, an administrator cannot replace overridden settings in local firewall configurations with settings that Panorama pushes from a template.
If you push a configuration with Force Template Values enabled, all overridden values on the firewall are replaced with values from the template. Before you use this option, check for overridden values on the firewalls to ensure your commit does not result in any unexpected network outages or issues caused by replacing those overridden values.
Yes
No
Yes
Collector Groups
When disabled, an administrator cannot push changes to Collector Groups.
Yes
No
Yes
WildFire Appliance Clusters
When disabled, an administrator cannot push changes to WildFire appliance clusters.
Yes
No
Yes
Tasks
When disabled, an administrator cannot access the Task Manager.
Yes
No
Yes
Global
Controls access to the global settings (system alarms) described in Provide Granular Access to Global Settings.
Yes
No
Yes

Related Documentation